On Sat, Aug 14, 2021 at 1:18 PM Dan Book <grinnz@gmail.com> wrote:

> On Sat, Aug 14, 2021 at 4:15 AM Achim Gratz <Stromeko@nexgo.de> wrote:
>
>> "Ricardo Signes" writes:
>> > I have attached a fix for a bug in Encode, registered as
>> > CVE-2021-36770. This bug replaces the contents of @INC with a
>> > predictable integer, which is treated as a directory relative to the
>> > current working directory, long enough to execute one "require".
>>
>> I've decided to put a different fix in Cygwin's Perl:
>>
>> --8<---------------cut here---------------start------------->8---
>> --- origsrc/perl-5.32.1/cpan/Encode/Encode.pm
>> +++ src/perl-5.32.1/cpan/Encode/Encode.pm
>> @@ -65,8 +65,7 @@
>> eval {
>> local $SIG{__DIE__};
>> local $SIG{__WARN__};
>> - local @INC = @INC || ();
>> - pop @INC if $INC[-1] eq '.';
>> + local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm"
>> )) ); # where enc2xs would have installed it
>> require Encode::ConfigLocal;
>> };
>>
>> --8<---------------cut here---------------end--------------->8---
>>
>
> A less fragile version of this would be:
>
> require File::Basename;
> local @INC = File::Basename::dirname($INC{'Encode.pm'});
>

And probably should be using __FILE__ instead of the %INC entry since this
*is* Encode.pm.

-Dan
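Review bot: the `+` line in the Encode.pm hunk, `local @INC = ( substr( $INC{"Encode.pm"}, 0, -length( "/Encode.pm" )) );`, hard-codes both the separator and the tail it strips, so it only yields the right directory when the %INC entry ends in exactly `/Encode.pm`; any other path form (a different separator, or a loader that recorded the file under another spelling) leaves @INC pointing at a mangled string, and the surrounding eval will then swallow the resulting failure silently. The reply's `File::Basename::dirname(...)` (on `__FILE__`, since this code is Encode.pm itself) avoids the string surgery. Separately, the two removed lines searched all of @INC minus a trailing `.` while the replacement searches only the directory Encode.pm lives in, so an Encode::ConfigLocal installed into any other @INC entry stops being found; the trailing comment `# where enc2xs would have installed it` asserts that this is acceptable, but the change description should state the narrowed search path explicitly.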
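The two mechanisms discussed above, the `@INC || ()` scalar-context slip that the CVE text describes and the `dirname(__FILE__)`-style replacement from the reply, as an added Perl example that is not code from the thread, from Encode or from Cygwin's patch. It plants a stand-in `Encode::ConfigLocal` under `<cwd>/<N>/Encode/` (N being the element count of @INC) in a constructed temporary directory and shows which `local @INC` policy executes it; the `rel2abs` call and the `run_demo` helper are this example's own additions.

```perl
#!/usr/bin/env perl
# Added demonstration for the thread above; not code from Encode, Cygwin, or
# any poster.  Reproduces the scalar-context bug behind CVE-2021-36770 and
# contrasts it with a dirname(__FILE__)-based local @INC.  The module name
# Encode::ConfigLocal is from the thread; the temp dir and planted file are
# constructed here.
use strict;
use warnings;
use Cwd ();
use File::Basename ();
use File::Path ();
use File::Spec;
use File::Temp ();

# Resolved once, before any chdir, so it names this script's real directory
# (rel2abs is an addition to the reply's plain dirname(__FILE__) suggestion).
my $OWN_DIR = File::Spec->rel2abs( File::Basename::dirname(__FILE__) );

# Pre-fix idiom: "@INC || ()" evaluates @INC in boolean (scalar) context, so
# the localized array holds one element: the element count of the real @INC.
sub buggy_local_inc { local @INC = @INC || (); return [@INC] }

# Replacement in the spirit of the reply: search only our own directory.
sub own_dir_local_inc { local @INC = ($OWN_DIR); return [@INC] }

# Plant <cwd>/<N>/Encode/ConfigLocal.pm with N = scalar(@INC), then attempt
# "require Encode::ConfigLocal" under each policy.  Returns which policies
# actually executed the planted file.
sub run_demo {
    my $n    = scalar @INC;                       # the "predictable integer"
    my $tmp  = File::Temp->newdir();              # removed when it goes out of scope
    my $orig = Cwd::getcwd();

    my $dir = File::Spec->catdir( "$tmp", $n, 'Encode' );
    File::Path::make_path($dir);
    open my $fh, '>', File::Spec->catfile( $dir, 'ConfigLocal.pm' ) or die "open: $!";
    print $fh "\$main::PLANTED = 1;\n1;\n";      # stands in for attacker-controlled code
    close $fh;

    chdir "$tmp" or die "chdir: $!";
    my %ran;
    for my $policy (
        [ buggy  => sub { local @INC = @INC || (); require Encode::ConfigLocal } ],
        [ owndir => sub { local @INC = ($OWN_DIR);  require Encode::ConfigLocal } ],
    ) {
        my ( $name, $code ) = @$policy;
        $main::PLANTED = 0;
        delete $INC{'Encode/ConfigLocal.pm'};     # force require to search @INC again
        eval { $code->(); 1 };                    # "not found" is the expected outcome for owndir
        $ran{$name} = $main::PLANTED ? 1 : 0;
    }
    chdir $orig or die "chdir back: $!";
    return \%ran;
}

my $buggy = buggy_local_inc();
printf "buggy  local \@INC = (%s)   # %d element(s)\n", join( ', ', @$buggy ), scalar @$buggy;
printf "owndir local \@INC = (%s)\n", join( ', ', @{ own_dir_local_inc() } );

my $ran = run_demo();
printf "planted file executed under buggy policy:  %s\n", $ran->{buggy}  ? 'YES' : 'no';
printf "planted file executed under owndir policy: %s\n", $ran->{owndir} ? 'YES' : 'no';
```

Run it from any writable directory; the first line prints a single integer where a list of library paths was intended, and the "buggy" policy reports YES because `require` resolved `<N>/Encode/ConfigLocal.pm` relative to the current directory. The "owndir" policy only ever looks beside the script itself, which is the property the reply's `dirname` suggestion is after.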